Users of document management solutions (DML) are subject to legal requirements for the audit-proof storage of documents. Typical core requirements are unalterable archiving, traceability of process flows and long-term formats. These are often accompanied by questions: Can the paper originals be destroyed after archiving? Does the archiving process run properly and on time? Can an archived document still be reproduced true to the original after 10 years?
TÜV NORD carries out technical and organisational tests and certifications tailored to the respective context in order to answer these and other questions about whether your document management system is audit-proof.
Partial solutions - such as scanning processes or archiving systems - can also be certified, provided the interfaces and functional delimitations are clearly documented.
The test criteria for document management solutions (PK-DML) were developed jointly by the VOI (Association of Organisation and Information Systems) and TÜV NORD. They cover all legal and non-legal requirements for a document management solution.
The focus of the PK-DML is on the legally compliant and audit-proof handling of digital documents of all kinds. They consider whether a DML fulfils the following criteria:
If necessary, further regulations, guidelines and standards supplement the test basis.
The current, revised 5th edition of the PK-DML from 2019 can be ordered via the VOI website.
Certification in accordance with PK-DML is particularly suitable for:
A document management system (DMS) is specialised software that can be used to capture, manage, store, retrieve and archive digital documents in a structured and audit-proof manner. Modern DMS solutions integrate seamlessly into existing business processes and support companies in their digital transformation.
For successful PK-DML certification, DMS software should offer the following functions:
These functions are a prerequisite for fulfilling criteria such as traceability, regularity and availability in accordance with PK-DML.
It consists of
and certification.
Time required:
The basis of every PK-DML certification is the process documentation, which must clearly demonstrate how the IT solution fulfils the applicable test criteria. The documentation can also refer to other documents that contain more detailed information, such as security concepts, process descriptions or work instructions.
A complete document review is carried out for initial and recertification. The implementation of the measures described in the documentation is checked in an on-site audit lasting several days.
A full document review is not carried out as part of the surveillance audit, but approx. 50% of the requirements of the PK-DML are reviewed on site. The focus is on changes since the last audit.
The GoBD (principles of proper accounting and storage of digital documents) form a central legal basis for electronic archiving in Germany. A PK-DML audit takes into account whether your DMS fulfils the requirements of the GoBD - e.g. through audit-proof storage, logging and complete procedural documentation.
The scope of the audit and certification is defined in consultation with the customer; for example, sub-processes or all relevant workflows along the document lifecycle can be considered, e.g.:
It is assessed whether these processes are documented, technically secured and implemented in an audit-proof manner.
The certificate is issued by the certification body of TÜV NORD CERT GmbH.
The certificate is valid for 3 years. Initial certification takes place through an initial audit in year 1, followed by 1 surveillance audit in each of years 2 and 3, in which changes to the initial documentation are checked.
The document review comprises a maximum of 2 passes; the 2nd document version must be verifiable and certifiable. The on-site audit comprises a maximum of one auditable and certifiable run.
The certification can be used for all digital document management processes and the associated IT solutions.
Partial solutions can also be certified, e.g. only the scanning process, the management and processing of files and documents or an archive.
In the case of partial solutions, the interfaces and functional delimitations must be clearly described in the process documentation.
If your DMS solution and the capture process meet the requirements for proper, complete and traceable digitisation in accordance with PK-DML and GoBD, paper documents can generally be destroyed after scanning. This is also known as "replacement scanning" (BSI TR-03138 Replacement scanning (RESISCAN)). An inspection by TÜV NORD gives you legal certainty here.